A malicious update to an Injective developer package has exposed private keys and seed phrases after being downloaded more than 300 times, Socket has found. AccordingA malicious update to an Injective developer package has exposed private keys and seed phrases after being downloaded more than 300 times, Socket has found. According

Compromised Injective SDK sends wallet keys through fake telemetry

2026/07/10 13:43
3 min di lettura
Per feedback o dubbi su questo contenuto, contattateci all'indirizzo crypto.news@mexc.com.

A malicious update to an Injective developer package has exposed private keys and seed phrases after being downloaded more than 300 times, Socket has found.

Summary
  • Socket found that a compromised Injective npm package copied private keys and seed phrases through fake telemetry.
  • The malicious version was downloaded more than 300 times and spread through 17 related Injective Labs packages.
  • CertiK reported that wallet compromises caused $444 million in losses during the first half of 2026.

According to security firm Socket, version 1.20.21 of the @injectivelabs/sdk-ts npm package, which has about 50,000 weekly downloads, was altered after a developer’s GitHub account was compromised. Suspicious commits began on June 8, and the malicious release was later pinned across 17 other packages under the Injective Labs npm scope.

The security firm said the code intercepted wallet key-generation functions, recorded private keys and recovery phrases, then encoded the data and sent it through fake telemetry to a web address made to resemble an Injective server.

“Any keys or mnemonics passed through affected packages should be treated as compromised,” Socket said, warning that applications may have been exposed even if they did not install the SDK directly.

Although the compromised developer detected the intrusion quickly and the malicious package version has been removed, Socket said the campaign was not yet fully contained.

Injective CEO Eric Chen said the affected npm releases had been deprecated and the issue was fixed. Chen added that no funds on the Injective network were at risk, while Socket did not report whether the malware resulted in stolen assets.

Developers become the target

Rather than attacking a blockchain’s cryptography or smart contracts, the operation targeted software that developers use to build wallets, exchanges and applications. The Security Alliance said in its second-quarter threat report that attackers have increasingly used platforms including GitHub, npm, and Google to distribute malware.

In some incidents, SEAL said, compromised machines have been used to push malicious code into a company’s own GitHub repositories, allowing one breach to become a channel for further distribution. The report also cited more cross-platform malware packages combining infostealers, remote access trojans and backdoors, including a rise in macOS-targeted campaigns.

Axios npm releases were hit by a similar supply-chain attack in March, while the TrapDoor campaign found in May targeted developers working in crypto, DeFi, artificial intelligence and security. GitHub also disclosed unauthorised access to internal repositories on May 20 after an employee device was compromised.

Wallet compromises were the costliest crypto attack method in the first half of 2026, accounting for $444 million stolen across 33 cases, according to CertiK.

Injective, an interoperable layer 1 for DeFi applications, has seen its total value locked fall 88% from a mid-2024 peak of $71 million to $8.2 million, DefiLlama data shows. Earlier this year, community members approved IIP-617, accelerating reductions in new INJ issuance while retaining existing token burns.

World Cup Combo: Aim for 200x

World Cup Combo: Aim for 200xWorld Cup Combo: Aim for 200x

Combine up to 20 World Cup matches in one order

Disclaimer: gli articoli ripubblicati su questo sito provengono da piattaforme pubbliche e sono forniti esclusivamente a scopo informativo. Non riflettono necessariamente le opinioni di MEXC. Tutti i diritti rimangono agli autori originali. Se ritieni che un contenuto violi i diritti di terze parti, contatta crypto.news@mexc.com per la rimozione. MEXC non fornisce alcuna garanzia in merito all'accuratezza, completezza o tempestività del contenuto e non è responsabile per eventuali azioni intraprese sulla base delle informazioni fornite. Il contenuto non costituisce consulenza finanziaria, legale o professionale di altro tipo, né deve essere considerato una raccomandazione o un'approvazione da parte di MEXC.

$5M in SPCX Positions for Free

$5M in SPCX Positions for Free$5M in SPCX Positions for Free

0 fees, 100x leverage, daily prizes, 7K+ stocks/ETFs